Patch Tuesday, January 2026 Edition

January 14, 2026
By ZadeNor AI Team
Microsoft's January Patch Tuesday: A Comprehensive Look at the Latest Security Fixes

Microsoft has released a massive batch of patches to address 113 security vulnerabilities in its various Windows operating systems and supported software. Eight of these have earned the company's most-dire "critical" rating, and Microsoft is warning that attackers are already exploiting one of the bugs fixed today.

Zero-Day Flaw in Desktop Window Manager

January's Microsoft zero-day flaw, CVE-2026-20805, is a particularly concerning issue. This vulnerability affects the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user's screen. According to Kev Breen, senior director of cyber threat research at Immersive, Microsoft awarded CVE-2026-20805 only a middling CVSS score of 5.5, yet has confirmed active exploitation in the wild, indicating that threat actors are already leveraging this flaw against organizations.

Breen explained that vulnerabilities of this kind are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to frustrate buffer overflows and other memory-manipulation exploits. By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack.
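Because an information leak like this only pays off when it lets an attacker predict addresses, the defensive check that follows from Breen's explanation is to confirm ASLR is actually enforced on the machines you manage. The script below is an added example, not code from the original post; it uses the `Get-ProcessMitigation` cmdlet (ProcessMitigations module, Windows 10 1709 and later) and assumes the ASLR sub-properties `BottomUp`, `ForceRelocateImages` and `HighEntropy` that the cmdlet reports. Run it from an elevated prompt.

```powershell
# Added example (not part of the original post): report the system-wide ASLR
# policy and the effective ASLR mitigations on a few processes of interest.
# Assumes the property names exposed by Get-ProcessMitigation's ASLR section.

function Get-AslrStatus {
    param(
        # Processes to inspect; dwm.exe is named because of CVE-2026-20805 in the post.
        [string[]]$ProcessName = @('dwm.exe', 'explorer.exe', 'OUTLOOK.EXE')
    )

    $results = @()

    # System-wide defaults apply to any process without a per-image override.
    $system = (Get-ProcessMitigation -System).ASLR
    $results += [pscustomobject]@{
        Scope               = 'System'
        BottomUp            = $system.BottomUp
        ForceRelocateImages = $system.ForceRelocateImages
        HighEntropy         = $system.HighEntropy
    }

    foreach ($name in $ProcessName) {
        try {
            # -Name reads the image-specific policy; it does not require the
            # process to be running, so the check also works on golden images.
            $aslr = (Get-ProcessMitigation -Name $name).ASLR
            $results += [pscustomobject]@{
                Scope               = $name
                BottomUp            = $aslr.BottomUp
                ForceRelocateImages = $aslr.ForceRelocateImages
                HighEntropy         = $aslr.HighEntropy
            }
        } catch {
            Write-Warning "Could not read mitigation policy for $name : $_"
        }
    }

    return $results
}

# Anything reported OFF at the system scope is worth a ticket: a leak such as
# the DWM bug is far more useful to an attacker when images load at fixed addresses.
Get-AslrStatus | Format-Table -AutoSize
```

Values of `NOTSET` mean the image inherits the system default, which is why the first row matters most; `OFF` on `ForceRelocateImages` or `HighEntropy` at the system scope is the condition to escalate.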

Microsoft Office Remote Code Execution Bugs

Among the critical flaws patched this month are two Microsoft Office remote code execution bugs (CVE-2026-20952 and CVE-2026-20953) that can be triggered just by viewing a booby-trapped message in the Preview Pane. These vulnerabilities are particularly concerning because they can be exploited without any user interaction, making them a significant threat to organizations.

Legacy Modem Drivers Removed

Microsoft has also removed two legacy modem drivers from Windows, agrsm64.sys and agrsm.sys, for a closely related reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096. According to Adam Barnett at Rapid7, this vulnerability was originally published via MITRE over two years ago, alongside a credible public writeup by the original researcher.

Windows Secure Boot Vulnerability

Immersive, Ivanti, and Rapid7 all called attention to CVE-2026-21265, a critical Security Feature Bypass vulnerability affecting Windows Secure Boot. This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026. Once the original 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.
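The practical question for an administrator is whether a given device already trusts the 2023 certificates before the 2011 ones expire. The script below is an added example, not code from the original post or from Microsoft; it reads the UEFI Secure Boot `db` and `KEK` variables with `Get-SecureBootUEFI` and searches them for the subject names of the new certificates. The certificate names are the ones used in Microsoft's Secure Boot guidance and are assumptions here; if your vendor's naming differs, adjust the list. Requires an elevated prompt on a UEFI system.

```powershell
# Added example (not part of the original post): check whether this device's
# Secure Boot trust stores already contain the 2023 Microsoft certificates.
# Certificate subject strings are assumptions taken from Microsoft's guidance.

$Expected = @{
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
}
$Expiring2011 = @('Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011')

function Get-SecureBootStoreText {
    param([Parameter(Mandatory)][string]$Name)
    # The variable is a raw EFI_SIGNATURE_LIST blob; certificate subjects inside
    # it are DER-encoded text, so an ASCII decode is enough for substring matching.
    $var = Get-SecureBootUEFI -Name $Name
    return [System.Text.Encoding]::ASCII.GetString($var.Bytes)
}

function Test-SecureBoot2023Certs {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # Thrown on legacy BIOS systems or when run without elevation.
        throw "Secure Boot state could not be read (BIOS system or not elevated): $_"
    }

    $rows = @()
    foreach ($store in $Expected.Keys) {
        $text = Get-SecureBootStoreText -Name $store
        foreach ($cert in $Expected[$store]) {
            $rows += [pscustomobject]@{ Store = $store; Certificate = $cert; Present = $text.Contains($cert) }
        }
    }
    $dbText = Get-SecureBootStoreText -Name 'db'
    foreach ($cert in $Expiring2011) {
        $rows += [pscustomobject]@{ Store = 'db'; Certificate = $cert; Present = $dbText.Contains($cert) }
    }

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        # Ready means every 2023 certificate the device needs is already trusted.
        Ready2023         = -not ($rows | Where-Object { $_.Certificate -like '*2023' -and -not $_.Present })
        Details           = $rows
    }
}

$status = Test-SecureBoot2023Certs
"Secure Boot enabled: $($status.SecureBootEnabled); 2023 certificates present: $($status.Ready2023)"
$status.Details | Format-Table -AutoSize
```

A device that reports `Ready2023 = False` while still showing the 2011 entries is exactly the population the post warns about: it boots fine today but will stop receiving Secure Boot fixes once those certificates expire.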

Mozilla Firefox Updates

Mozilla has released updates for Firefox and Firefox ESR resolving a total of 34 vulnerabilities, two of which are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).

Google Chrome and Microsoft Edge Updates

As ever, the SANS Internet Storm Center has a per-patch breakdown by severity and urgency. Windows admins should keep an eye on askwoody.com for any news about patches that don't quite play nice with everything. If you experience any issues related to installing January's patches, please drop a line in the comments below.

Practical Implications

The latest batch of patches from Microsoft highlights the importance of keeping your software up to date. With eight critical flaws patched this month, it's clear that attackers are actively exploiting vulnerabilities in Windows and other software. This emphasizes the need for organizations to prioritize patching and to stay vigilant in their security efforts.

In particular, the removal of legacy modem drivers from Windows raises questions about how many more legacy drivers are still present on fully-patched Windows assets. This suggests that organizations should take a closer look at their software inventory and remove any unnecessary or outdated drivers to reduce their attack surface.
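An inventory of that kind is easy to script. The example below is added here and is not code from the original post; it lists the kernel drivers registered as services on the local machine, records when each binary was last written, and flags the two Agere modem drivers named above (`agrsm64.sys`, `agrsm.sys`) whether they are registered as a service or merely sitting in the drivers directory or driver store. It uses only the `Win32_SystemDriver` CIM class and standard file cmdlets; run it from an elevated prompt.

```powershell
# Added example (not part of the original post): inventory kernel drivers and
# flag the legacy modem drivers Microsoft removed this month.

# Driver file names taken from the post; extend the list for other known-bad drivers.
$LegacyDrivers = @('agrsm64.sys', 'agrsm.sys')

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Service image paths come in several forms: \??\C:\..., \SystemRoot\..., or
    # a path relative to the Windows directory. Normalize them to a real path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $file = if ($path -and (Test-Path -LiteralPath $path)) { Get-Item -LiteralPath $path } else { $null }
        $leaf = if ($path) { Split-Path -Leaf $path } else { '' }
        [pscustomobject]@{
            Name          = $_.Name
            File          = $leaf
            State         = $_.State
            StartMode     = $_.StartMode
            LastWrite     = if ($file) { $file.LastWriteTime } else { $null }
            FileMissing   = ($path -and -not $file)
            KnownLegacy   = $LegacyDrivers -contains $leaf.ToLower()
        }
    }
}

function Find-LegacyDriverFiles {
    # A removed service can leave the binary behind, and the driver store keeps
    # copies that could be re-installed; check both locations by file name.
    $roots = @(
        (Join-Path $env:SystemRoot 'System32\drivers'),
        (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
    )
    foreach ($root in $roots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
                Where-Object { $LegacyDrivers -contains $_.Name.ToLower() } |
                Select-Object FullName, LastWriteTime
        }
    }
}

$inventory = Get-DriverInventory
"Registered kernel drivers: $($inventory.Count)"

$flagged = $inventory | Where-Object KnownLegacy
if ($flagged) { "Legacy modem driver services still registered:"; $flagged | Format-Table -AutoSize }

$files = Find-LegacyDriverFiles
if ($files) { "Legacy modem driver binaries on disk:"; $files | Format-Table -AutoSize }

# Oldest binaries first: a quick way to spot drivers that predate current tooling.
$inventory | Where-Object LastWrite | Sort-Object LastWrite | Select-Object -First 15 |
    Format-Table Name, File, State, StartMode, LastWrite -AutoSize
```

The age listing is a starting point rather than a verdict: an old timestamp only says the vendor has not shipped an update, and the right follow-up is to confirm whether the hardware the driver serves is still present before removing it.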

Forward-Looking Thoughts

As we move forward, it's clear that the threat landscape will continue to evolve. With the increasing use of AI and machine learning in cybersecurity, we can expect to see more sophisticated attacks in the future. This emphasizes the need for organizations to stay ahead of the curve and to invest in cutting-edge security solutions.

In conclusion, the latest batch of patches from Microsoft highlights the importance of staying vigilant in our security efforts. With the threat landscape continuing to evolve, it's essential that organizations prioritize patching and stay up to date with the latest security fixes.


Source: https://krebsonsecurity.com/2026/01/patch-tuesday-january-2026-edition/
